Archive

Splunk Alert: how to retrieve search query and results from previous trigger

Communicator

I'm looking for a way to retrieve information from alert triggers that ran few days ago. info needed are : search query, time filter used for the query and query result. reason is that we are getting alert today that contains data that are days ago. thanks in advance for your help!

0 Karma

Motivator

Please click the setting at the right side top then click searches,report and alert
then enter the alert name in the filter and search
get the alert, here you can get query,time when it trigger etc
there is option "view recent search" just click it
here you can export the result

0 Karma

SplunkTrust
SplunkTrust

try and check in the _audit index or if still within time frame hit the "activity" dropdown on top tight and click "triggered alerts"

Communicator

thanks @adonio i got the event from the _audit and by clicking the 'event actions'--> 'show source' i was able to get more information. How can i extract the data below but dont know how to extract the actual search details for both of these events.

Audit:[timestamp=05-30-2018 01:26:40.497, user=splunk-system-user, action=search, info=granted REST: /search/jobs/rtschedulerZG9uLnBhdHJpY2subi5wZXBpdG8searchRMD59eb0161499e9b71cat1527059197_2.17][n/a]
Audit:[timestamp=05-30-2018 01:26:40.726, user=splunk-system-user, action=search, info=granted REST: /search/jobs/rtschedulerZG9uLnBhdHJpY2subi5wZXBpdG8searchRMD59eb0161499e9b71cat1527059197_2.18][n/a]

Can you please help me extracting the search query of these events?

0 Karma

SplunkTrust
SplunkTrust

try and search in the _internal or _audit indexes for the ZG9uLnBhdHJpY2subi5wZXBpdG8
search in verbose and look at the fields on the left. see if you have values for the field savedsearchname or something similar

0 Karma

Communicator

thanks for sharing...jobs were expired which probably the reason i'm having a hard time finding it...

0 Karma